[PATCH] jdk6-b45 retroactive security patch review

Andrew Brygin abrygin at azul.com
Mon Dec 25 10:00:50 UTC 2017


Hello Dmitry,

The change looks fine to me.

Thanks,
Andrew

> On Dec 21, 2017, at 7:10 PM, Dmitry Cherepanov <dcherepanov at azul.com> wrote:
> 
> Hello,
> 
> Here’s a backport of security fixes (included in 8u151) to OpenJDK 6.
> 
> Changes since jdk6-b44
> 
>  * Security fixes:
> 
> 8181612, CVE-2017-10355: More stable connection processing
> 8169026, CVE-2017-10274: Handle smartcard clean up better
> 8174966, CVE-2017-10285: Unreferenced references
> 8180711, CVE-2017-10346: Better invokespecial checks
> 8181597, CVE-2017-10357: Process Proxy presentation
> 8181692, CVE-2017-10356: Update storage implementations
> 8181323, CVE-2017-10347: Better timezone processing
> 8174109, CVE-2017-10281: Better queuing priorities
> 8181432, CVE-2017-10348: Better processing of unresolved permissions
> 8178794, CVE-2017-10388: Correct Kerberos ticket grants
> 8184682, CVE-2016-9841: Upgrade compression library
> 8181370, CVE-2017-10345: Better keystore handling
> 8181327, CVE-2017-10349: Better X processing
> 8176751, CVE-2017-10295: Better URL connections
> 
>  * Defense-in-depth fixes:
> 
> 8165543: Better window framing
> 8169966: Larger AWT menus
> 8170218: Improved Font Metrics
> 8171252: Improve exception checking
> 8175940: More certificate subject checking
> 8180024: Improve construction of objects during deserialization
> 
>  * Other fixes:
> 
> 8178714: PKIX validator nameConstraints check failing after change 8175940
> 8185040: Incorrect GPL header causes RE script to miss swap to commercial header for licensee source bundle
> 8179084: HotSpot VM fails to start when AggressiveHeap is set
> 8181048: Refactor existing providers to refer to the same constants for default values for key length
> 8185845: Add SecurityTools.java test library
> 8179423: 2 security tests started failing for JDK 1.6.0 u161 b05
> 8158517: Minor optimizations to ISO10126PADDING
> 8057810: New defaults for DSA keys in jarsigner and keytool
> 8185039: Incorrect GPL header causes RE script to miss swap to commercial header for licensee source bundle
> 8186503: sun/security/tools/jarsigner/DefaultSigalg.java failed after backport to JDK 6/7/8
> 8179564: Missing @bug for tests added with JDK-8165367
> 8185778: 8u151 L10n resource file update
> 4963968: zlib should be upgraded to current version of zlib
> 8044725: Bug in zlib 1.2.5 prevents inflation of some gzipped files (zlib 1.2.8 port)
> 8035623: [parfait] JNI exception pending in jdk/src/windows/native/sun/windows/awt_Font.cpp
> 8157561: Ship the unlimited policy files in JDK Updates
> 8165367: Additional tests for JEP 288: Disable SHA-1 Certificates
> 6850720: (process) Use clone(CLONE_VM), not fork, on Linux to avoid swap exhaustion
> 6866719: Rename execvpe to avoid symbol clash with glibc 2.10
> 6853336: (process) disable or remove clone-exec feature (6850720)
> 6868160: (process) Use vfork, not fork, on Linux to avoid swap exhaustion
> 
> Note that the following fixes were included in this release after being postponed from the July 2017 jdk6-b44 release:
> 
> 8176536: Improved algorithm constraints checking
> 8179998: Clear certificate chain connections
> 8179101: Improve algorithm constraints implementation
> 
> Webrevs for the changes:
> 
> http://cr.openjdk.java.net/~dcherepanov/openjdk6/Oct_2017/webrevs/root/webrev/
> http://cr.openjdk.java.net/~dcherepanov/openjdk6/Oct_2017/webrevs/corba/webrev/
> http://cr.openjdk.java.net/~dcherepanov/openjdk6/Oct_2017/webrevs/hotspot/webrev/
> http://cr.openjdk.java.net/~dcherepanov/openjdk6/Oct_2017/webrevs/jaxp/webrev/
> http://cr.openjdk.java.net/~dcherepanov/openjdk6/Oct_2017/webrevs/jaxws/webrev/
> http://cr.openjdk.java.net/~dcherepanov/openjdk6/Oct_2017/webrevs/jdk/webrev/
> http://cr.openjdk.java.net/~dcherepanov/openjdk6/Oct_2017/webrevs/langtools/webrev/
> 
> Please review.
> 
> Thanks,
> 
> Dmitry
> 